Nuke Cops :: View topic - MHTMLRedir.Exploit
chukar
Nuke Cadet
Joined: Nov 19, 2004
Posts: 7
Posted: Fri Nov 19, 2004 4:33 pm

Thanks, actually I have two sites with the same problem:

http://my.powa.org/

http://my.poetryexpress.org/

Any help would be appreciated.

jacebenson
Nuke Cadet
Joined: Nov 01, 2003
Posts: 6
Posted: Fri Nov 19, 2004 5:59 pm

Help... I don't know what's going on... I have a business... and well the site is now giving this trojan... So it's in a sub directory until this gets resolved... So I know this may be asking a lot but Support Moderators come out with a fix please. Also. If you could look at my code the site is at http://monsterden.com/v-web/portal/73/oldindex.php


Thanks a ton In advance....

ps... whoops dbl post please delete first.


Last edited by jacebenson on Sat Nov 20, 2004 3:53 am; edited 1 time in total

chukar
Nuke Cadet
Joined: Nov 19, 2004
Posts: 7
Posted: Fri Nov 19, 2004 6:58 pm

I have checked my database and haven't noticed anything unusual. But maybe I'm not looking in the right place.

http://my.powa.org/

http://my.poetryexpress.org/

Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12482
Posted: Fri Nov 19, 2004 6:59 pm

Seems the same hack - please read my posts. Simple steps: check your database and delete the added content from your footer fields. Apply security

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding

Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12482
Posted: Fri Nov 19, 2004 11:23 pm

Doing some more digging, I see that these hacks all come from the range 61.78.61.*

These addresses are all registered under KOREA TELECOM Internet Operating Center. 61.78.0.0 - 61.85.255.255

I will be banning the first part - if worse comes to worse, ban the entire range.


jacebenson
Nuke Cadet
Joined: Nov 01, 2003
Posts: 6
Posted: Sat Nov 20, 2004 3:55 am

On my site listed above, is this the code I am looking for?
Code:
<script language='JavaScript'>eval(String.fromCharCode(*********CODE REMOVED BY ADMIN *************</script>

??? I looked in the DB. Didn't see anything, I am not sure what I am looking for.

sting
Site Admin
Joined: Jul 24, 2003
Posts: 1986
Location: Apparently ALWAYS Online. . .
Posted: Sat Nov 20, 2004 6:36 am

jacebenson wrote:
On my site listed above, is this the code I am looking for?
Code:
<script language='JavaScript'>eval(String.fromCharCode(*********CODE REMOVED BY ADMIN *************</script>

??? I looked in the DB. Didn't see anything, I am not sure what I am looking for.


I took the liberty of removing that, as yes, it is the code you are looking for. Remove that and you should be good.

I saw this last night, looks like someone found another SQL injection exploit.

-sting

_________________
Is it paranoia if they are really out to get you?

-------------------------------------------------------
sting usually hangs out at nukehaven.net

kewlbrew
Nuke Soldier
Joined: Sep 03, 2004
Posts: 22
Posted: Sat Nov 20, 2004 6:42 am

I can't find it in my DB either. Where do you remove the code from?

kewlbrew
Nuke Soldier
Joined: Sep 03, 2004
Posts: 22
Posted: Sat Nov 20, 2004 7:11 am

OK, I did find it in my copyright. How I did it was to search my databases for the string, and you have to look for it in full text mode. Maybe this will help someone.

thanks for your help everyone

patrad
Nuke Cadet
Joined: Nov 20, 2004
Posts: 2
Posted: Sat Nov 20, 2004 9:30 am

Can someone please check mine? I'm new to really digging into Nuke. I am minorly proficient in PHP but can't figure out where the nasty code is.

www.tauomegaphi.com

patrad
Nuke Cadet
Joined: Nov 20, 2004
Posts: 2
Posted: Sat Nov 20, 2004 9:59 am

Thank you, I found it in my copyright. . . Thanks for the DB search suggestion.

chukar
Nuke Cadet
Joined: Nov 19, 2004
Posts: 7
Posted: Sat Nov 20, 2004 12:07 pm

Thanks to all for your help. I finally found and removed this, and everything works fine.

For others who may have this problem and not be too familiar with phpMyAdmin, here's what I did:

1. Log in to phpMyAdmin
2. Select "config" from list on left
3. Select "browse" tab
4. Click "T" symbol to expand text.
5. Look for offending code (mine was in the "Copyright" section)
6. Click "Edit" to access and delete code
7. Click "Go" to save changes
8. Test your site (mine worked fine)

Best wishes to all, and special thanks to Sting and Evaders99.
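
The database search that kewlbrew and chukar describe above, generalized as an added example (not part of any post in this thread): it scans every column of a config table for inline script markers such as the `eval(String.fromCharCode(` wrapper quoted earlier. The table name `nuke_config`, its column names, the in-memory SQLite stand-in for MySQL and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Markers of injected client-side code in fields that should hold plain HTML text.
# The first matches the obfuscation wrapper quoted in the thread.
MARKERS = [
    re.compile(r"eval\s*\(\s*String\.fromCharCode", re.I),
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*iframe\b", re.I),
]

def build_sample_db():
    """Constructed stand-in for a PHP-Nuke config table (names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nuke_config (sitename TEXT, foot1 TEXT, foot2 TEXT, copyright TEXT)")
    db.execute(
        "INSERT INTO nuke_config VALUES (?, ?, ?, ?)",
        (
            "Example Site",
            "All logos are property of their owners.",
            "",
            # Constructed sample: harmless placeholder payload in the injected wrapper.
            "(c) 2004 Example <script language='JavaScript'>"
            "eval(String.fromCharCode(47,47))</script>",
        ),
    )
    return db

def scan_table(db, table):
    """Return sorted (rowid, column, marker_pattern) for every suspicious text value."""
    if not re.fullmatch(r"\w+", table):  # table name is interpolated, so restrict it
        raise ValueError("unexpected table name")
    columns = [row[1] for row in db.execute(f"PRAGMA table_info({table})")]
    hits = []
    for rowid, *values in db.execute(f"SELECT rowid, * FROM {table}"):
        for column, value in zip(columns, values):
            if not isinstance(value, str):
                continue
            for marker in MARKERS:
                if marker.search(value):
                    hits.append((rowid, column, marker.pattern))
    return sorted(hits)

if __name__ == "__main__":
    for rowid, column, pattern in scan_table(build_sample_db(), "nuke_config"):
        print(f"row {rowid}: column '{column}' matches {pattern}")
```

A hit in a footer or copyright field marks content to delete; the injection point that wrote it still has to be patched separately.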

nopd8
Nuke Soldier
Joined: Nov 07, 2003
Posts: 33
Posted: Sat Nov 20, 2004 7:11 pm

Evaders99 wrote:
Doing some more digging, I see that these hacks all come from the range 61.78.61.*

These addresses are all registered under KOREA TELECOM Internet Operating Center. 61.78.0.0 - 61.85.255.255

I will be banning the first part - if worse comes to worse, ban the entire range.


I located the code in the Copyright area. Thanks to all the previous posts. Site works fine now, but how did you find what IP it came from?

Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12482
Posted: Sat Nov 20, 2004 7:23 pm

These hacks were blocked by the latest Admin Secure. That's how the IP was recorded.


nopd8
Nuke Soldier
Joined: Nov 07, 2003
Posts: 33
Posted: Sat Nov 20, 2004 7:32 pm

Is there any other way? I am using Protector 1.13